At Advance Track System (Pvt) Ltd ("we", "us", "the Company") the security of our GPS tracking platform, customer portal, mobile applications, and the data they hold is a core responsibility. This Security Policy describes the technical and organisational measures we use to protect customer accounts, vehicle and location data, connected devices, and our infrastructure. It supports our Privacy Policy, Data Protection Policy, and Compliance page, and applies across our web portal, our mobile apps on Google Play and the Apple App Store, and the Traccar-based tracking engine hosted on secure cloud infrastructure.
1. Infrastructure & Data Security
Our services run on reputable cloud infrastructure with layered protections. We separate environments, restrict network access, and keep operating systems, dependencies, and the tracking engine updated with security patches on a regular basis. We protect data both while it is moving and while it is stored:
- Encryption in transit — communication between apps, browsers, tracking devices, and our servers is encrypted using current, industry-standard transport encryption (TLS).
- Encryption at rest — sensitive data stored on our infrastructure is protected using encryption and secure storage practices.
- Secret handling — credentials, tokens, and integration secrets are stored using strong hashing or encryption and are never exposed in logs or client applications.
2. Access Controls & Role-Based Permissions
Access to data and functions within the platform is governed by role-based access control (RBAC) following the principle of least privilege. Users are granted only the permissions necessary for their role. Company staff, corporate portal administrators, and end users each operate within clearly defined scopes, so customers can only view and manage the vehicles, assets, and records that belong to their organisation. Administrative and privileged functions are restricted to authorised personnel and are separated from ordinary user activity. Significant actions — such as sign-in events, permission changes, data edits, deletions, and device commands — are recorded in tamper-resistant audit logs to provide accountability.
3. Account Security
Access to the platform is protected by user credentials, and we enforce sensible controls to reduce the risk of unauthorised access:
- Minimum length and complexity requirements are applied when passwords are created or changed.
- Passwords are never stored in plain text; they are protected using strong, industry-standard one-way hashing with salting.
- Users are encouraged to use unique passwords that are not reused across other services, and to change them promptly if compromise is suspected.
- Repeated failed sign-in attempts are rate limited to defend against brute-force and credential-stuffing attacks.
4. OTP and New-Device Login
To strengthen account security, we use one-time passcodes (OTP) and step-up verification for sensitive actions such as sign-in from a new or unrecognised device, account recovery, and certain high-impact changes. OTPs are time-limited, single-use, and delivered through trusted channels such as email or SMS via our messaging providers. Trusted-device recognition may be offered to reduce repeated prompts while maintaining a strong security posture. These controls help ensure that only the legitimate account holder can access the account, even if a password is exposed.
5. Session Security
User sessions are protected using signed tokens with limited lifetimes. Sessions can expire after inactivity, and sensitive events — such as a password change or a security concern — can revoke active sessions so that a user must sign in again. We apply protections against common web threats, and we recommend that customers sign out on shared devices and keep their apps and browsers up to date.
6. Device and SIM Security
Tracking devices communicate with the platform using device-specific identifiers and protected server settings. We manage device enrolment, secret rotation, and command authorisation so that only authorised users can issue device commands. SIM cards supplied for connectivity are provisioned for the tracking service and should not be removed, transferred, or used for other purposes. Customers must keep physical control of their vehicles and devices and report any suspected tampering, loss, or theft without delay so that we can help protect the account.
7. Employee Access Limitations
Access to customer data by our staff is limited to what is necessary to operate, support, and maintain the service. Employee and technician access is granted on a need-to-know, role-based basis, is subject to confidentiality obligations, and can be revoked when it is no longer required or when a person leaves the Company. Privileged administrative actions are logged, and we train our staff on secure handling of customer information.
8. Physical Security
Our offices, control room, and device stock are protected by appropriate physical security measures, including access control to premises and secure handling of tracker inventory and SIM cards. Our production data is hosted in professionally managed data-centre environments that maintain their own physical and environmental controls. These measures reduce the risk of unauthorised physical access to systems, devices, and records.
9. Monitoring and Incident Response
We monitor our systems for availability, errors, and unusual activity. Automated logging and alerting help us detect potential problems early, including suspicious sign-in patterns, abnormal traffic, and service disruptions. If a security incident is detected, our team follows an incident-response process to contain the issue, investigate its cause and scope, remediate affected systems, and restore normal service. Where a confirmed incident affects personal data, we will notify affected customers and any relevant authorities as required by applicable law and our Data Protection Policy.
10. Responsible Disclosure of Vulnerabilities
We welcome reports from security researchers and customers who identify potential vulnerabilities in our services. If you believe you have found a security issue, please report it privately to support@advancetracksystem.com and include enough information for us to reproduce and understand the problem. We ask that you do not exploit the issue, access or modify data that is not yours, or publicly disclose the issue before we have had a reasonable opportunity to investigate and address it. We will acknowledge valid reports, work to resolve confirmed issues promptly, and treat researchers who act in good faith fairly.
11. Customer Responsibilities
Security is a shared effort. While we protect the platform and infrastructure, customers play an important role by keeping credentials confidential, enabling available security features such as OTP, managing user access responsibly, keeping apps updated, maintaining physical control of vehicles and devices, and reporting suspected compromise without delay. Together these measures help keep accounts and data safe.
12. Contact
To report a security concern or ask about this Security Policy, please contact:
- Advance Track System (Pvt) Ltd
- Email: support@advancetracksystem.com
- Helpline: 03-111-777-354
- Website: www.advancetracksystem.com
- Business hours: Monday to Saturday, 9:00 AM to 6:00 PM (Pakistan time)
